Federal Council: Swiss-US Data Privacy Framework in force on 15 September 2024

14 August 2024 – At its meeting on 14 August 2024, the Federal Council decided to add the USA to the list of countries with an adequate level of data protection in accordance with Annex 1 of the Data Protection Ordinance (DPO), provided that the respective recipient is certified in accordance with the Swiss‑US Data Privacy Framework (see Switzerland tab). The amendment to Annex 1 DPO will enter into force on 15 September 2024 (see the Media release thereto).

This has the following effects in particular:

  • Various importers such as Microsoft, Google, Amazon and Salesforce have already certified themselves in accordance with the Swiss‑US Data Privacy Framework. As soon as the amendment to the DPO is in force, an exporter whose exports are subject to the Data Protection Act (DPA) can invoke the Swiss-US Data Privacy Framework.
  • Transfers within this framework are permitted without having to conclude the Standard Contractual Clauses (SCC).
  • Intra-group transfers can also rely on the Swiss-US Data Privacy Framework, provided the US recipient is certified (and can deal with the relevant obligations and requirements, including the requirements for onward transfers within the group).
  • If a transfer is based on the Swiss-US Data Privacy Framework, no Transfer Impact Assessment (TIA) is required.
  • If an exporter relies on the certification of an importer, the exporter should have it contractually guaranteed that the certification is being maintained.
  • There is nothing to be said against basing a transfer on the SCC in addition to the Swiss-US Data Privacy Framework; on the contrary, many companies will proceed in this way. In this case, a TIA can be dispensed with if the SCC are only a safety net (it can be argued that a TIA remains necessary, strictly speaking, because it is probably also an independent contractual obligation under the SCC). In Switzerland at least, the FDPIC will not require a TIA if the Swiss-US Data Privacy Framework is the basis for a transfer. If a TIA continues to be carried out, it may also be simpler because the EU adequacy decision for the EU-US Data Privacy Framework already covers part of the relevant US law – this also applies if a transfer is not covered by the EU-US Data Privacy Framework. However, exporters should consider whether the primary basis for a transfer is the Swiss-US Data Privacy Framework or the SCC. Although there is no clear obligation to make and document this decision, the consequences are not the same. For example, the requirements under the SCC and the Swiss-US Data Privacy Framework differ in terms of the information to be provided to the data subjects.
  • In the case of a transfer from Switzerland to a country with an adequate level of data protection and an onward transfer from there to a US recipient certified under the EU-US Data Privacy Framework, the EU-US Data Privacy Framework covers the onward transfer. The DPA does not apply to this case of onward transfer (because, unlike the GDPR, it does not “infect” the entire chain), nor does the US importer also have to be certified under the Swiss-US Data Privacy Framework for this case.